a-PATCH-e: Struts Vulnerabilities Run Rampant

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched in March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. The vulnerability was first disclosed in March and was almost immediately followed by publicly available proofs of concept (POCs), weaponized exploits, and scanners produced by third parties.

Since March, Trend Micro has observed thousands of filter events for this vulnerability through our intrusion prevention solutions, and these exploit and enumeration attempts are still being seen. It’s worth noting that Trend Micro customers can use these filters as a highly effective virtual patch for critical Apache Struts vulnerabilities until the actual software updates are deployed to secure the system.

We’ve observed filter events for this vulnerability from a large number of countries, with the majority of events coming from the regions shown below:

Figure 1: Graphical representation of top source countries of attackers for CVE-2017-5638

Trend Micro has also actively blocked and thwarted attacks and enumeration attempts against organizations across various industries, including universities in the U.S., Europe and South America; healthcare, internet service, and telecommunications providers; automotive manufacturers; and banks and other financial institutions.

Apache Struts Vulnerabilities are Actively Exploited
The following image is an example of an exploit attempting to leverage the vulnerability used to breach Equifax:

Figure 2: Screenshot of exploitation attempt against CVE-2017-5638

On July 11, we released a filter for the exploitation techniques observed in another critical Apache Struts vulnerability (CVE-2017-9791, patched in July via S2-048). Several weeks ago, a spate of Apache Struts vulnerabilities was published, including CVE-2017-12611 (patched September 9 via S2-053). We quickly located all public exploits for the vulnerability and tested them against our Digital Vaccine filters. Not only did the existing filters block all versions of this exploit with no updates needed; digging deeper, we found that they had already been blocking intrusion attempts for nearly two months. The diagrams below highlight the timeline of the events we observed relative to the exploit code’s availability.

Figure 3: Timeline of intrusion attempts we observed exploiting CVE-2017-5638

Figure 4: Timeline of attack attempts we observed exploiting CVE-2017-12611, based on existing filter coverage released last July for CVE-2017-9791; note that the figure is based on 5% of total customer activity

The attacks we have observed have been a combination of targeted and non-targeted intrusion attempts as well as automated enumeration scans that fingerprint vulnerable servers. Below is a screenshot of an enumeration attempt using the non-intrusive ECHO command, which tells the attacker whether the targeted machine is vulnerable.

Figure 5: Code snippet (highlighted) showing the ECHO command
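As an added illustration of the vulnerability-driven filtering discussed above (example code written for this page, not Trend Micro’s Digital Vaccine filter logic), the inspector below flags OGNL expression syntax in the request fields through which these Struts CVEs reach the framework and runs over constructed sample requests. The marker regexes, the loose Content-Type grammar and the sample values are assumptions; the samples carry only syntactic markers, not working payloads.

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# Fields through which the Struts flaws named above reach the framework:
# CVE-2017-5638 (S2-045) via the Content-Type header of a multipart upload;
# CVE-2017-9791 (S2-048) and CVE-2017-12611 (S2-053) via request parameter values
# later evaluated as OGNL / Freemarker expressions. The marker list is illustrative.
OGNL_MARKERS = re.compile(
    r"[%$]\{\s*[(#]|#_memberAccess|@ognl\.|OgnlContext|DefaultMemberAccess",
    re.IGNORECASE,
)
# A legitimate Content-Type is just a MIME type plus optional parameters; a value
# that fails this loose grammar is suspicious even without expression markers.
MIME_GRAMMAR = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]+))*$')

class Finding(NamedTuple):
    request_id: str
    location: str  # "header:<name>" or "param:<name>"
    reason: str

def inspect_request(req: Dict) -> List[Finding]:
    """Return one Finding per request field that looks like an OGNL injection attempt."""
    findings: List[Finding] = []
    for name, value in req.get("headers", {}).items():
        if OGNL_MARKERS.search(value):
            findings.append(Finding(req["id"], f"header:{name}", "OGNL expression syntax"))
        elif name.lower() == "content-type" and not MIME_GRAMMAR.match(value.strip()):
            findings.append(Finding(req["id"], f"header:{name}", "malformed Content-Type"))
    for name, value in req.get("params", {}).items():
        if OGNL_MARKERS.search(value):
            findings.append(Finding(req["id"], f"param:{name}", "OGNL expression syntax"))
    return findings

def scan(requests: Iterable[Dict]) -> List[Finding]:
    """Run inspect_request over a stream of already-parsed requests."""
    return [f for r in requests for f in inspect_request(r)]

# Constructed sample traffic (not captured data): two benign requests, then three
# that carry only the syntactic markers a filter keys on, with no working payload.
SAMPLE_REQUESTS = [
    {"id": "r1", "headers": {"Content-Type": "multipart/form-data; boundary=----x1"},
     "params": {"name": "alice"}},
    {"id": "r2", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "params": {"q": "price ${ in dollars"}},  # a lone ${ is not an expression
    {"id": "r3", "headers": {"Content-Type": "%{(#constructed_marker='probe')}"}, "params": {}},
    {"id": "r4", "headers": {"Content-Type": "text/plain; charset=utf-8"},
     "params": {"redirect": "${(#constructed_marker='probe')}"}},
    {"id": "r5", "headers": {"Content-Type": "multipart/form-data boundary=x"}, "params": {}},
]
```

Calling `scan(SAMPLE_REQUESTS)` reports r3, r4 and r5 and leaves the two benign requests untouched; a real filter would additionally decode URL and multipart encodings before matching.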

A Lesson on Patching
A vulnerable framework can cause significant damage regardless of the kind or type of flaw, and it can affect things beyond a company’s bottom line and reputation. At stake are also the privacy and security of personally identifiable data, which can have long-term, real-life repercussions when compromised—not to mention the risk to the integrity of the infrastructure from which the information changes hands.

The takeaway? A single vulnerable machine on a network is sometimes all it takes to affect millions. Implement defense in depth. Apply more robust patch management policies, but strike a balance between your business needs and the importance of securing your assets and data. Some best practices include:

Patching your systems and servers as well as the applications that run on them

Deploying vulnerability-driven filters to provide a wider net of protection to the network, system or server

Considering virtual patching to address unidentified vulnerabilities or platforms for which patches aren’t directly available

Enforcing the principle of least privilege, avoiding or minimizing the use of third-party applications, and disabling unnecessary components to limit your attack surface
